How to install certificates on Linux

Intro

When Tableau Server runs on Linux and needs to connect to a secure TabPy or secure Rserve instance (or any other analytics extension over a secured channel), it has to know to trust the certificate the analytics extension is using before it will trust the connection. More details about Tableau and trusted certificates are in this post – Tableau and Trusted Certificates for Analytics Extensions.

In this post, I will show you how to install a trusted certificate (root or self-signed certificate) on Linux. Remember that Rserve sends only the leaf certificate to Tableau, so you may need to install the whole chain as trusted certificates.

NOTE: The instructions below may not work for your specific Linux version – check the documentation for your exact system.

Certificate formats: PEM, DER, PFX, etc.

There are a few different formats a certificate file can be stored in. The instructions below use only PEM and DER. Some details about specific formats and how they are related can be found at https://aboutssl.org/cer-vs-crt/.

PEM and DER are just different encodings of the same data. DER is binary and PEM is Base64-encoded DER.

One format can be converted to the other with OpenSSL. E.g. to convert DER to PEM run:

openssl x509 -inform der -in cert.der -out cert.pem

More examples of certificate conversion commands are at https://aboutssl.org/ssl-tools/ssl-converter.php.

NOTE: you only need the certificates (the public part), not the private key.

RPM-based Linux Steps

The following are the instructions for RPM-based Linux (CentOS, Fedora, Red Hat, etc.).

Copy the PEM certificate to /etc/pki/ca-trust/source/anchors:

sudo cp cert.pem /etc/pki/ca-trust/source/anchors/cert.pem

Run the following command:

sudo update-ca-trust

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.

Debian-based Linux Steps

For Debian-based Linux (Debian, Ubuntu, Kubuntu, etc.) use a PEM certificate in a .crt file. That is, the format of the certificate file is PEM, but the file extension is required to be .crt.

First copy the certificate file to /usr/local/share/ca-certificates:

sudo cp cert.crt /usr/local/share/ca-certificates/cert.crt

Now run the following command:

sudo update-ca-certificates

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.
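The two procedures above can be wrapped in a pre-install check. The script below is an added example, not part of the original post: it classifies a file as PEM, DER or private key material, refuses anything that is not a certificate, and prints (without running) the commands from this post for the detected distro family. The function names and the .converted.pem file name are hypothetical.

```shell
#!/bin/sh
# Constructed pre-install check (hypothetical names); prints commands, runs none.

# Classify file $1: pem, der, private-key or unknown.
cert_format() {
  [ -r "$1" ] || { echo unknown; return; }
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
    echo private-key   # key material must never go into a trust store
  elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
    echo pem
  elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then
    echo der           # 0x30 = ASN.1 SEQUENCE; openssl x509 validates the rest
  else
    echo unknown
  fi
}

# Guess the distro family from the trust-store update tool that is installed.
detect_family() {
  if command -v update-ca-trust >/dev/null 2>&1; then echo rpm
  elif command -v update-ca-certificates >/dev/null 2>&1; then echo deb
  else echo unknown; fi
}

# Print the install commands for file $1 on family $2 (rpm or deb).
plan_install() {
  file=$1 family=${2:-$(detect_family)}
  base=$(basename "$file"); name=${base%.*}
  case $family in
    rpm) dest=/etc/pki/ca-trust/source/anchors/$name.pem update=update-ca-trust ;;
    deb) dest=/usr/local/share/ca-certificates/$name.crt update=update-ca-certificates ;;
    *)   echo "unsupported distro family: $family" >&2; return 2 ;;
  esac
  case $(cert_format "$file") in
    pem) src=$file ;;
    der) src=$name.converted.pem   # DER must become PEM before it is installed
         echo "openssl x509 -inform der -in $file -out $src" ;;
    *)   echo "refusing $file: not a certificate" >&2; return 1 ;;
  esac
  echo "sudo cp $src $dest"
  echo "sudo $update"
}

if [ $# -gt 0 ]; then plan_install "$@"; fi
```

Run it as `sh check.sh cert.der` to let it detect the family, or pass `rpm` or `deb` as the second argument.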

Related posts:

TabPy v2.2.0 Released

TabPy version 2.2.0 is released:

To install or update to the latest version, run as usual

pip install --upgrade tabpy

The release includes fixes for authentication:

  • Fixed a bug in scripts with tabpy.query(...) calls when authentication is configured for TabPy.
  • Fixed a bug where TabPy reported a 500 error instead of 401 when it runs without the attached console.
  • Improved authentication security (this is a breaking change) – TabPy now returns an authentication error when credentials are provided but it is not configured for authentication.

How to Install Trusted Certificate on Mac

With the new Tableau Server and Desktop, certificate validation happens on the Tableau side, as explained in the Tableau and Trusted Certificates for Analytics Extensions post. So for a certificate to be trusted, either the certificate itself (self-signed certificate scenario) or the certificate(s) it is signed with have to be installed on the client machine as trusted.

This post demonstrates how to install a certificate as trusted on Mac OS.

NOTE: This post is just an example and shouldn’t be used as a manual. The steps and UI can be different for your OS version and how it is configured.

The first step is to download the certificate you want to install as trusted on your computer. Remember that for Rserve you may need to install the whole chain.

Then start the Keychain Access application (Finder -> Applications -> Utilities):

In the app go to System Keychains, then Certificates, and drag and drop the certificate you want to install there.

You will see a message that the newly installed certificate is not trusted:

Right-click the certificate and select the Get Info menu item:

In the certificate information dialog that appears, open the Trust section and set the Secure Sockets Layer (SSL) option to Always Trust. Close the window and confirm that the red icon and warning message for the certificate are gone.

Next select the New Certificate Preference… item in the context menu for the certificate:

In the pop-up dialog enter the exact fully qualified domain name (FQDN) the certificate is issued for. Click the Add button.

Now the certificate is installed as trusted; for it to be validated and accepted it is recommended to reboot the machine. In general, a reboot is recommended after most certificate modifications on a machine.

It may be enough (but not guaranteed to be) to restart Tableau Desktop. For how to configure secure connection in Tableau Desktop read Tableau Desktop 2020.1: Advanced Analytics Improvements and How to configure TabPy with authentication and use it in Tableau.

Tableau and Trusted Certificates for Analytics Extensions

What is a Trusted Certificate?

Starting from Tableau Server 2020.2, analytics extensions are configured with the admin UI and not with TSM (more details here – Multiple Analytics Extensions Connections with Tableau Server 2020.2). If a connection is secured (the Require SSL checkbox is on), Tableau will validate the certificate used by TabPy, Rserve or any other analytics extension.

For the certificate to be trusted it has to pass a few checks: it should be issued to the host where the analytics extension is running, its dates (valid after/before) are valid, it is signed with another certificate Tableau Server trusts, and some other checks. But what certificates are trusted?

Each OS ships with preinstalled trusted certificates and anything signed with any of those trusted certificates is trusted (considering all other checks mentioned above pass). Each OS has its own way of installing a trusted certificate – refer to your OS documentation.

Leaf VS Whole Chain Certificate

When an analytics extension sends its certificate to Tableau it can either send the whole chain (including all the certificates it is signed with) or just the very last certificate in the chain (the leaf certificate).

For example, we have a certificate issued for machine my-server-cert which is signed with my-org-mid-cert, which is signed with my-org-root-cert:

NOTE: there can be any number of mid-certificates, but there could be rules on how deep the chain can be before it is rejected.

TabPy, if it uses my-server-cert from the example above, sends the whole chain to Tableau.

If my-server-cert is installed on the Tableau Desktop or Server machine as trusted – validation for it passes. Otherwise, if my-org-mid-cert is trusted – my-server-cert is trusted as well. And finally, if my-org-root-cert is trusted – my-org-mid-cert and my-server-cert are trusted. This means it is sufficient to install my-org-root-cert as trusted on the Tableau machine to make the whole chain trusted.

Rserve, when configured to use the same certificate as in the example above, sends Tableau only the leaf cert – meaning only my-server-cert. This means that for Tableau to trust the certificate, my-server-cert has to be installed as trusted.
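The difference between the two cases can be reproduced with a throwaway chain. This is an added example, not part of the original post: it builds certificates with the CNs used above and uses `openssl verify` (OpenSSL 1.1.1 or later assumed) as a stand-in for the client, so Tableau's own validator may differ in detail. The file names (root.pem, mid.pem, server.pem) and function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: three-level chain named as in the post, valid for 2 days.
# openssl verify plays the client; -partial_chain lets a non-root anchor count.
set -eu

# Create root -> mid -> server certificates in directory $1.
build_chain() (
  cd "$1"
  printf '[req]\ndistinguished_name=req\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > cfg
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config cfg -extensions ca \
    -subj /CN=my-org-root-cert -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config cfg \
    -subj /CN=my-org-mid-cert -keyout mid.key -out mid.csr 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config cfg \
    -subj /CN=my-server-cert -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in mid.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile cfg -extensions ca -out mid.pem 2>/dev/null
  openssl x509 -req -in server.csr -CA mid.pem -CAkey mid.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
)

# trusted DIR ANCHORS [SENT]: succeeds if server.pem validates when the trust
# store holds ANCHORS and the server also sent the intermediate file SENT.
trusted() (
  cd "$1"
  cat $2 > anchors.pem
  if [ -n "${3:-}" ]; then
    openssl verify -partial_chain -CAfile anchors.pem -untrusted "$3" server.pem
  else
    openssl verify -partial_chain -CAfile anchors.pem server.pem
  fi >/dev/null 2>&1
)

report() {
  if trusted "$d" "$2" "${3:-}"; then echo "$1: trusted"; else echo "$1: rejected"; fi
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
build_chain "$d"
report "whole chain sent (TabPy), root installed"     root.pem mid.pem
report "leaf only sent (Rserve), root installed"      root.pem
report "leaf only sent (Rserve), leaf installed"      server.pem
report "leaf only sent (Rserve), root+mid installed"  "root.pem mid.pem"
```

Only the second case is rejected: with the leaf alone on the wire and just the root in the store, the client has no way to find my-org-mid-cert.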

Self-signed Certificates

Self-signed certificates are certificates which are not signed with any other certificate.

For self-signed certificates to be trusted they need to be installed on the client machine (machine which runs Tableau Desktop or Server).

TabPy v1.1.0 released

TabPy version 1.1.0 is released: package – https://pypi.org/project/tabpy/, release on GitHub – https://github.com/tableau/TabPy/releases/tag/1.1.0.

You can update your TabPy with the following command (you’ll need to stop all running TabPy instances first):

pip install --upgrade tabpy

The main improvement in the new release is for the /info method (https://tableau.github.io/TabPy/docs/server-rest.html#get-info) – it now checks that credentials are provided if TabPy is configured for authentication. The improvement won’t affect any older Tableau Desktop or Tableau Server versions which already had support for TabPy authentication.

For how to configure authentication for TabPy read How to configure TabPy with authentication and use it in Tableau.